WannaCry Ransomware Still Active on Thousands of Infected Computers

The WannaCry ransomware that spread globally in 2017 could still be very active, with reports stating that thousands of computers are still infected.


WannaCry ransomware has remained in the news ever since its outbreak in 2017. The widespread ransomware attack infected the PCs of the general public and large organizations around the world.

Recent reports say that there is a chance that thousands of computers are still infected by it.

Ransomware is malware that hides the victim's files and holds the information hostage until a ransom is paid, often requested in Bitcoin. In many cases there is also a time limit, and if the money is not paid within the specified time, the user’s files are deleted permanently.

The First News Released About WannaCry

In 2017, this specific type of ransomware made its way into the news headlines. The reasons for worldwide concern were how fast it spread and the damage it caused to hospitals in the U.K., where the affected institutions had to shut down their non-emergency services. This malware was also known by several other names, such as WannaDecryptor, WannaCryptor and WannaCrypt.

When the WannaCry ransomware was first revealed, a security researcher registered a domain that worked as a kill switch to halt the infection. The ransomware component would not activate if the infection could connect to this domain. Instead, the infection would continue to run quietly in the background and would regularly connect to the kill switch domain to confirm it was still active.

Countries Still Affected by WannaCry

In a recent Twitter thread, security and threat intelligence researcher Jamie Hankins of Kryptos Logic revealed data showing that a number of IP addresses from nearly 200 different countries continue to connect with the kill switch.

Cloudflare hosts this kill switch now to offer protection from DDoS (Distributed Denial of Service) attacks. The domain of the WannaCry kill switch gets more than 17 million connections in a week’s time, according to Hankins. Over 630,000 different IP addresses from 194 countries have been sending these connections in a single week. The top three countries that are still affected by this ransomware are Vietnam, Indonesia and China.

According to Hankins, in the statistics for a single day the U.K. accounts for 0.15 percent of the total connections and the U.S. for 1.35 percent.

The number of connections is lower on weekends than on normal working days, according to a graph posted by Hankins. The reason for this is that users come into the office on working days and turn on their computers.


Organizations Need to Boost Their Security

Security experts have pointed out that the WannaCry ransomware kicks in when there is an internet outage and the kill switch domain is no longer accessible.

Hankins recommends using Kryptos Logic’s TellTale service to look up users’ IP addresses and make sure they are not known to be affected by WannaCry.

Kryptos Logic launched TellTale in April 2018. It allows organizations to monitor their IP addresses for known infections. By making use of this service, organizations will know if their computers are affected by WannaCry and other threats identified by Kryptos Logic.

With so many organizations still affected by WannaCry and other malware, TellTale can be helpful in notifying organizations in case they are infected.
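As a local complement to an external lookup, the following added example (not from the original article or from Kryptos Logic) scans DNS resolver logs for internal clients that look up the kill switch domain, which marks a dormant infection. It assumes dnsmasq-style query logging; the domain is a placeholder because the article does not name it, and the log lines are constructed.

```python
import re

# Placeholder: the article does not name the kill-switch domain.
# Replace with the domain from your threat-intelligence source.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# dnsmasq-style query line: "<ts> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?query\[\w+\]\s"
    r"(?P<name>\S+)\sfrom\s(?P<client>\S+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
Jan  7 09:01:12 dnsmasq[412]: query[A] killswitch-placeholder.example from 10.0.4.17
Jan  7 09:01:13 dnsmasq[412]: query[A] intranet.corp.example from 10.0.4.22
Jan  7 09:06:40 dnsmasq[412]: query[A] KillSwitch-Placeholder.example. from 10.0.4.17
Jan  7 09:07:02 dnsmasq[412]: reply killswitch-placeholder.example is 192.0.2.10
Jan  7 10:15:55 dnsmasq[412]: query[AAAA] killswitch-placeholder.example from 10.0.9.3
Jan  7 10:16:01 dnsmasq[412]: query[A] notkillswitch-placeholder.example from 10.0.4.22
"""


def find_beaconing_hosts(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map client IP -> count / first_seen / last_seen of kill-switch lookups."""
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # replies, forwards and unrelated lines
        # Normalise case and the trailing root dot before an exact comparison.
        name = m["name"].rstrip(".").lower()
        if name not in domains:
            continue
        rec = hits.setdefault(
            m["client"], {"count": 0, "first_seen": m["ts"], "last_seen": m["ts"]}
        )
        rec["count"] += 1
        rec["last_seen"] = m["ts"]
    return hits


if __name__ == "__main__":
    # A hit means a dormant infection: the article notes the payload activates
    # when the domain is unreachable, so clean the host; do not block the domain.
    for client, rec in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {rec['count']} lookups, "
              f"{rec['first_seen']} to {rec['last_seen']}")
```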

The Old Ghost May Haunt Again

Given that thousands of computers are still showing signs of carrying the WannaCry virus, there is a possibility that they might be affected at any time in the near future.

Many will still remember the days when the virus spread like wildfire, affecting thousands of systems every single day in every part of the world. However, there haven’t been reports of new ransom demands in the recent past, which could be due to the fact that the price of cryptocurrencies, especially Bitcoin, has dropped almost 80 percent from its peak in December 2017.

Most of the ransom demands were made in Bitcoins, and attacks might resume again if the value of Bitcoin starts surging upwards.
